Fanin v. United States Department of Veterans Affairs

572 F.3d 868, 2009 U.S. App. LEXIS 13207, 2009 WL 1677233

• Court: Court of Appeals for the Eleventh Circuit
• Decided: June 17, 2009
• Docket: 08-11102
• Status: Published

Opinion

CARNES, Circuit Judge:

Someone pulled off the trick of making an object disappear from a safe in a darkened office building over a cold and rainy weekend. Unfortunately, the magician never completed the trick by making it reappear. The missing object is hardly a stage prop. It is an external computer hard drive belonging to the Department of Veterans Affairs (VA) containing the unencrypted names, social security numbers, birth dates, and healthcare files of more than 198,000 living veterans. With that treasure trove of private data the hard drive is a pocket-sized gold mine for identity thieves. Where it is now is anybody’s guess. In the meantime, no one is applauding the trick, least of all the veterans. Some of them have sued the VA.

I.

Among the 198,000 living veterans whose personal data was on the hard drive that disappeared are Jim Henry Perkins and. Jesse Frank Qualls. Perkins and Qualls are Vietnam veterans with severe chronic post-traumatic stress disorder (PTSD). Because of their PTSD, both men participate in group therapy sessions and receive medical benefits from the VA. Both also see a doctor four times a year to update their prescriptions.

The VA issued press releases about the security breach on February 2 and 10, 2007. Shortly thereafter, it established a public hotline to answer veterans’ inquiries about the status of their personal information. Perkins called and was told that individuals whose data was missing would receive a letter. In March 2007 Perkins and Qualls received letters from the VA instructing them to obtain a free credit report and to put a “fraud alert” on their credit accounts. In late April, the VA offered Perkins, Qualls, and the other 198,-000 affected veterans one year of free credit monitoring.

Meanwhile, the VA’s Office of the Inspector General undertook an investigation into the contents of the equipment and the circumstances of its disappearance. The miá#ig hard drive was one of fifteen purchased in 2006 by the Birmingham VA Medical Center. The procedure was for information technology specialists to load data onto the hard drives and store them in safes each night. On the morning of January 22, 2007, an IT Specialist in Birmingham reported his external hard drive missing from the safe. The Office of the Inspector General concluded that the VA’s security plan did not comply with the agency’s own rules for securing data, and it improperly allowed the IT Specialist access to databases beyond the requirements of his job and the scope of his background check. It also concluded that the VA had failed to adequately supervise the IT Specialist, whose actions had violated the Privacy Act as well as the Health Insurance Portability and Accountability Act of 1996.

This lawsuit was filed against the VA on February 15, 2007, just thirteen days after the first public disclosure that the hard drive was missing. The two current plaintiffs joined in amended complaints filed in March and April 2007. Perkins and Qualls claim the stress caused by their fear of identity theft and arising from their loss of trust in the VA as the provider of their medical care aggravated their PTSD symptoms. Both men assert that the sleeplessness, isolation, anxiety, and anger that characterize their PTSD have grown worse than before. Perkins has received additional medication from his doctor, and Qualls has had his dosage increased.

Perkins and Qualls’ second amended complaint includes two broad categories of claims: those seeking monetary damages under the Privacy Act, 5 U.S.C. § 552a(g) and those seeking declaratory and injunctive relief under the Administrative Procedures Act (APA), 5 U.S.C. §§ 702-06. The APA claims are based on the VA’s alleged violations of the Privacy Act, 5 U.S.C. § 552a; the E-Government Act of 2002, 44 U.S.C. § 3501; the VA Claims Confidentiality Statute, 38 U.S.C. § 5701; the Trade Secrets Act, 18 U.S.C. § 1905; the Veterans Benefits, Health Care, and Information Technology Act of 2006 (VHBITA), 38 U.S.C. §§ 5721-28; and the Federal Information Security Management Act (FISMA), 44 U.S.C. §§ 3541-48. In January 2008 the district court granted the VA’s motion for summary judgment against all of Perkins and Qualls’ claims. This is their appeal.

II.

We review de novo the district court’s grant of summary judgment. Thomas v. Cooper Lighting, Inc., 506 F.3d 1361, 1363 (11th Cir.2007). Summary judgment is proper if “there is no genuine issue as to any material fact and the moving party is entitled to judgment as a matter of law.” Celotex Corp. v. Catrett, 477 U.S. 317, 322, 106 S.Ct. 2548, 2552, 91 L.Ed.2d 265 (1986); see also Fed R. Civ. P. 56(c). As the Supreme Court instructed us in Celotex, summary judgment should be granted when there is “a complete failure of proof concerning an essential element of the nonmoving party’s case.” 477 U.S. at 322-23, 106 S.Ct. at 2552.

A

We will start with whether Perkins and Qualls have offered evidence sufficient to create a genuine issue of material fact as to each element of a claim for monetary damages under the Privacy Act, 5 U.S.C. § 552a(g)(l)(D). Congress passed the Privacy Act in 1974 to “protect the privacy of individuals identified in information systems maintained by Federal agencies.” Doe v. Chao, 540 U.S. 614, 618, 124 S.Ct. 1204, 1207, 157 L.Ed.2d 1122 (2004) (quoting the Privacy Act, Pub.L. No. 93-579, § 2(a)(5), 88 Stat. 1896). In addition to creating a series of security and disclosure rules for agencies that possess individuals’ personal information, the Act creates a private right of action against an agency that “fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual.” 5 U.S.C. § 552a(g)(l)(D). It specifies that if the agency acted intentionally or willfully:

[T]he United States shall be liable to the individual in an amount equal to the sum of — (A) actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000; and (B) the costs of the action together with reasonable attorney fees as determined by the court.

5 U.S.C. § 552a(g)(4).

We have recently stated the elements of a claim brought under this paragraph of the Privacy Act. The plaintiff must demonstrate that: (1) the government failed to fulfill its record-keeping obligation; (2) the agency acted intentionally or willfully in failing to perform its obligation; (3) the failure proximately caused an adverse effect on an individual; and (4) that individual suffered actual damages. Perry v. Bureau of Prisons, 371 F.3d 1304, 1305 (11th Cir.2004) (quoting Rose v. United States, 905 F.2d 1257, 1259 (9th Cir. 1990)).

Obtaining monetary damages under § 552a(g)(4) requires proof of “actual damages,” and in this circuit that means pecuniary losses. See Fitzpatrick v. IRS, 665 F.2d 327, 331 (11th Cir.1982), abrogated on other grounds by Doe, 540 U.S. 614, 124 S.Ct. 1204, 157 L.Ed.2d 1122. In Fitzpatrick the plaintiff retired from the IRS because of a mental disability. Id. at 328. His supervisor violated the Privacy Act by willfully disclosing Fitzpatrick’s condition to other people, which caused him to become paranoid, deeply depressed, and withdrawn from social activities because he feared that people knew of his mental condition. Id. at 328-29. However, Fitzpatrick presented no evidence of pecuniary loss such as the cost of additional medication or psychiatric care. As we noted, Fitzpatrick presented a fairly pure “key issue ... the meaning of ‘actual damages’ in subsection (g)(4)(A) of the [Privacy] Act.” Id. at 329. After consulting the legislative history, we held “that ‘actual damages’ as used in the Privacy Act permits recovery only for proven pecuniary losses and not for generalized mental injuries, loss of reputation, embarrassment or other non-quantifiable injuries.” Id. at 331.

Under Fitzpatrick, Perkins and Qualls cannot recover monetary damages under the Privacy Act without “proven pecuniary losses.” Id. Their complaint alleged that the men suffered pecuniary loss. Perkins’ affidavit also states that the VA’s security breach “has caused me to spend my own personal time and money to prevent and detect [identity theft].” (emphasis added). See generally Doe, 540 U.S. at 626 n. 10, 124 S.Ct. at 1211 n. 10 (noting that minor costs such as fees for running a credit report or receiving a Valium prescription would, as “actual damages,” open the door to the statutory minimum of $1,000 in damages); Fitzpatrick, 665 F.2d at 331 n. 7 (noting that “had appellant introduced evidence of expenses for psychiatric care necessitated by the disclosure, he could have recovered those expenses”). However, Perkins and Qualls have since abandoned any argument that they suffered pecuniary losses. Oral Arg. Tr. at 3:10— 3:30 (“Court: One of your clients at least pleaded that he had suffered some out of pocket [losses] ... but then again you didn’t argue it to [the district court], and didn’t argue it in your blue brief to us ... Attorney: ... That’s right.”); United States v. Ford, 270 F.3d 1346, 1347 (11th Cir.2001) (“[I]ssues and contentions not timely raised in the briefs are deemed abandoned.”); Hartsfield v. Lemacks, 50 F.3d 950, 953 (11th Cir.1995); Marek v. Singletary, 62 F.3d 1295, 1298 n. 2 (11th Cir.1995).

Instead of trying to meet Fitzpatrick’s requirement of actual pecuniary loss, Perkins and Qualls attack that decision directly. They argue that Fitzpatrick is distinguishable, that its reasoning is dicta, that it has been overruled or abrogated, and that it is inconsistent with decisions from other circuits. We are unpersuaded.

Perkins and Qualls attempt to march around Fitzpatrick by persuading us that it is factually distinguishable from this case. We do not think so. In that case, as in this one, a federal agency disseminated private information about the plaintiffs. In both cases the plaintiffs alleged and offered evidence that the information leak caused or aggravated stress-related symptoms — depression, paranoia, and withdrawal in Fitzpatrick and sleeplessness, anxiety, isolation and anger here. 665 F.2d at 328-29. No financial loss was shown in either case. See id. at 331 n. 7. This case and Fitzpatrick are not distinguishable; they are brothers if not twins.

Nor was our discussion of the meaning of “actual damages” in Fitzpatrick dicta. See generally Aron v. United States, 291 F.3d 708, 716 (11th Cir.2002) (Carnes, J., concurring) (“All that is said which is not necessary to the decision of an appeal given the facts and circumstances of the ease is dicta.”). We noted in Fitzpatrick that “the key issue, therefore, is the meaning of ‘actual damages’ in subsection (g)(4)(A) of the [Privacy] Act.” 665 F.2d at 329 (emphasis added). We then stated: “[W]e hold that ‘actual damages’ as used in the Privacy Act permits recovery only for proven pecuniary losses and not for generalized mental injuries, loss of reputation, embarrassment or other non-quantifiable injuries.” Id. at 331 (emphasis added). Our language was purposeful and fitted to the facts. We did not over-write. The central issue in Fitzpatrick was the meaning of the statutory term “actual damages” in the Privacy Act. See id. at 329-31. We came to a conclusion about that meaning— that it meant pecuniary losses only — and then relied on that meaning to hold that Fitzpatrick had failed to establish his claim. Id. at 331. The meaning of “actual damages” was “necessary to the decision,” Aron, 291 F.3d at 716; it was the sole basis we gave for denying Fitzpatrick’s claims for monetary damages. See Fitzpatrick, 665 F.2d at 331. It follows that our statement that “actual damages” under the Privacy Act means only pecuniary losses is a holding, and under the prior panel precedent rule we must follow it. See Swann v. S. Health Partners, Inc., 388 F.3d 834, 837 (11th Cir.2004) (“[W]e are bound by the holdings of earlier panels unless and until they are clearly overruled en banc or by the Supreme Court.”).

Unable to march around Fitzpatrick, Perkins and Qualls attempt to tunnel under it by arguing that its holding has been “undermined to the point of abrogation” by the Supreme Court’s decision in Doe, 540 U.S. at 616, 124 S.Ct. at 1206. The Doe decision did abrogate part of the Fitzpatrick decision, but not the part we have been talking about. Doe changed the landscape of the Privacy Act by holding that the statutory minimum of $1,000 in damages was not available unless the plaintiff suffered some amount of “actual damages.” Id. at 627, 124 S.Ct. at 1212. That overruled the part of Fitzpatrick that had granted that plaintiff the statutory $1,000 minimum even though he had failed to demonstrate actual damages. See 665 F.2d at 331. As a result, plaintiffs in Fitzpatrick’s shoes today, like Perkins and Qualls, are worse off than Fitzpatrick was in 1982, because after Doe they cannot get even the $1,000 statutory minimum without showing some actual damages.

In deciding that a plaintiff must show actual damages to receive the statutory minimum of $1,000, the Supreme Court specifically acknowledged the circuit split about the meaning of “actual damages” and declined to resolve it. Doe, 540 U.S. at 627 n. 12, 124 S.Ct. at 1212 n. 12. The Court noted:

The Courts of Appeals are divided on the precise definition of actual damages. Compare Fitzpatrick v. IRS, 665 F.2d 327, 331 (11th Cir.1982) (actual damages are restricted to pecuniary loss), with Johnson v. Department of Treasury, IRS, 700 F.2d 971, 972-74 (5th Cir.1983) (actual damages can cover adequately demonstrated mental anxiety even without any out-of-pocket loss). That issue is not before us, however....

Id. The Court’s refusal in Doe to resolve the circuit split about the definition of “actual damages” contradicts Perkins and Qualls’ argument that the Court overruled Fitzpatrick’s definition of that term.

Unable to undermine Fitzpatrick, Perkins and Qualls lay siege to it by arguing that most other circuits do not restrict “actual damages” under the Privacy Act to pecuniary losses. Admittedly, the Fifth and Tenth Circuits have stated that mental injury alone can qualify as “actual damages.” See Johnson, 700 F.2d at 972-74; Parks v. IRS, 618 F.2d 677, 682-83 (10th Cir.1980). But any number of assaults from other circuits cannot overrun one binding precedent from our own circuit. United States v. Hanna, 153 F.3d 1286, 1288 (11th Cir.1998) (“In this circuit, only the court of appeals sitting en banc, an overriding United States Supreme Court decision, or a change in the statutory law can overrule a previous panel decision.”); Swann, 388 F.3d at 837.

In any event, Fitzpatrick is not a lonely fort in a hostile countryside. It has allies. See Hudson v. Reno, 130 F.3d 1193, 1207 (6th Cir.1997) (“[T]he weight of authority suggests that actual damages under the Privacy Act do not include recovery for ‘mental injuries, loss of reputation, embarrassment or other non-quantifiable injuries.’ ”), overruled in part on other grounds by Pollard v. E.I. du Pont Nemours & Co., 532 U.S. 843, 121 S.Ct. 1946, 150 L.Ed.2d 62 (2001); Pope v. Bond, 641 F.Supp. 489, 501 (D.D.C.1986); DiMura v. FBI, 823 F.Supp. 45, 48 (D.Mass.1993).

Because none of Perkins and Qualls’ attacks on Fitzpatrick’s actual damages holding succeeds, that decision controls their claims for monetary damages. They have failed to show any pecuniary loss from the VA’s data security breach, and the summary judgment against their claims for monetary damages is due to be affirmed.

B.

We turn now to whether the grant of summary judgment against the claims seeking declaratory and injunctive relief was proper. The second amended complaint included nine counts alleging that the VA violated multiple statutes, including the Privacy Act, 5 U.S.C. § 552a; the E-Government Act of 2002, 44 U.S.C. § 3501 note; FISMA, 44 U.S.C. §§ 3541-48; the Trade Secrets Act, 18 U.S.C. § 1905; and the VBHITA, 38 U.S.C. §§ 5721-28. All of these claims were routed through the APA, 5 U.S.C. §§ 702-06.

1.

The district court granted summary judgment wholesale against all of Perkins and Qualls’ APA claims. After listing the nine claims, the court stated:

The court finds that the above allegations do not constitute “final agency action” as that term is defined by the APA.... The alleged final agency actions are failures by the defendants to comply with various provisions of federal statutes. There is no evidence that these failures can be attributed to a conscious decision by the VA to violate the law or that the VA was aware that the violations were occurring and did nothing to remedy them. In fact, after the external hard drive was reported missing, the VA investigated the disappearance and is now in the process of implementing new procedures to prevent a similar disclosure in the future. Therefore, summary judgment is due to be GRANTED on the plaintiffs’ nine claims for injunctive relief because there is no final agency action.

The gist of the district court’s reasoning was that the APA claims could not survive summary judgment because there was no evidence that the VA had consciously decided to violate the law and the procedures were being corrected.

The language of the APA does not state or imply, however, that an agency must consciously violate the law before a meritorious claim can arise. 5 U.S.C. § 706(1) (stating that a court may “compel agency action unlawfully withheld or unreasonably delayed”). Under Norton v. S. Utah Wilderness Alliance, 542 U.S. 55, 64, 124 S.Ct. 2373, 2379, 159 L.Ed.2d 137 (2004), a claim may proceed “where a plaintiff asserts that an agency failed to take a discrete agency action that it is required to take.” See also Nat’l Parks Conservation Ass’n v. Norton, 324 F.3d 1229, 1239 (11th Cir.2003) (“[W]here an agency is under an unequivocal statutory duty to act, failure so to act constitutes, in effect, an affirmative act that triggers ‘final agency action’ review.”); Sierra Club v. Thomas, 828 F.2d 783, 793 (D.C.Cir. 1987) (explaining that an agency’s failure to act when required by law to do so, either by an implicit refusal to act or simply by an unreasonable bureaucratic delay, is reviewable under the APA). Thus, whether the VA consciously decided to violate the law is not a necessary consideration in evaluating whether it did violate the law.

Nor do current efforts by the VA to remedy its many alleged violations of various statutes matter if it has not yet achieved full compliance. Of course, if the VA were fully compliant with all of the statutes it has allegedly violated, the APA claims would be moot. See S. Utah, 542 U.S. at 67-68, 124 S.Ct. at 2381-82 (holding two of the plaintiffs’ claims moot because they sought the creation of Bureau of Land Management plans, which were later created); Friends of the Wild Swan, Inc. v. EPA 130 F.Supp.2d 1184, 1192 (D.Mont.1999) (holding an APA claim moot when the EPA, thirteen years after its alleged duty arose, cured its failure to act by finally acting); Associated Builders & Contractors, Inc. v. Herman, 976 F.Supp. 1, 8 (D.D.C.1997) (holding an APA claim challenging an agency’s delay moot because the agency had finally acted).

But the VA has never argued that this case has become moot, and the sparse record gives us no reason to think that all of the alleged violations have been remedied since the second amended complaint was filed. And there is a wide gulf between the VA being “in the process” of implementing new procedures and it having those new procedures fully in place. Almost moot is not actually moot. See Buono v. Norton, 371 F.3d 543, 545 (9th Cir.2004) (“Defendants urge that, given the impending mootness of this case, the Court should avoid deciding the constitutional issues raised here.... We are not convinced. This case is not yet moot and may not be for a significant time ....”) (internal quotation marks omitted).

Summary judgment should not have been granted wholesale on the APA claims either because any violation was not the result of a conscious decision to violate the law or because relief supposedly was on the way. 1

2.

Not wanting to have to respond to the claims retail, the VA argues that wholesale summary judgment should be affirmed on the ground that Perkins and Qualls requested broad and programmatic relief against the VA’s entire information technology security system. Broad programmatic attacks against agencies are not permissible under the APA. Lujan v. Nat’l Wildlife Fed’n, 497 U.S. 871, 891, 893-94, 110 S.Ct. 3177, 3190-91, 111 L.Ed.2d 695 (1990).

In Lujan environmentalists challenged the Bureau of Land Management’s entire “land withdrawal review program.” 497 U.S. at 890, 110 S.Ct. at 3189. The plaintiffs alleged that the program was rife with violations of the law — that the agency had failed to revise land use plans properly, to submit recommendations to Congress, to evaluate multiple uses of the land, to give required public notice, and to issue adequate environmental impact statements. Id. at 891, 110 S.Ct. at 3190. Instead of describing specific failings and arguing that each one was a “final agency action,” the plaintiffs sought to have the entire program declared illegal. The Supreme Court did not allow that:

[R]espondent cannot seek wholesale improvement of this program by court decree, rather than in the offices of the Department or the halls of Congress, where programmatic improvements are normally made. Under the terms of the APA, respondent must direct its attack against some particular “agency action” that causes it harm.

Id., 110 S.Ct. at 3190. While it conceded that successful challenges to specific final agency actions might “have the effect of requiring a regulation, a series of regulations, or even a whole ‘program’ to be revised by the agency,” the Court refused to allow generalized attacks. Id. at 894, 110 S.Ct. at 3191. Systemic improvement and sweeping actions are for the other branches, not for the courts under the APA. Id.-, see also S. Utah, 542 U.S. at 64, 124 S.Ct. at 2379.

At first glance, Perkins and Qualls’ APA challenges seem broad and programmatic, and thus foreclosed by Lujan. Their second amended complaint, in its prayer for relief, does ask for sweeping changes to VA security procedures. However, as the Supreme Court implied in Lujan, the ban on generalized attacks does not prevent a plaintiff from bringing a handful of specialized challenges to specific “final agency actions” that, if successful, would have a broad impact on the agency’s program. A proper analysis must go claim by claim, identifying each one and determining whether it is based on a “final agency action.”

S.

While we might launch into that analysis ourselves, we think that the better course in this case is for the district court to perform the retail level, claim-by-claim analysis of the APA claims in the first instance. That will allow a more thorough and hierarchical approach to the decision making. Accordingly, we remand this part of the case to the district court to determine whether each one of Perkins and Qualls’ eight remaining claims seeking declaratory and injunctive relief is proper under the APA.

In making that determination the district court should keep in mind that any valid APA claim must challenge “agency action,” which is defined as “including] the whole or a part of an agency rule, order, license, sanction, relief or the equivalent or denial thereof, or failure to act.” 5 U.S.C. § 551(13). The terms “rule,” “order,” “license,” “sanction,” and “relief’ are individually defined by the APA. See 5 U.S.C. § 551(4-11). The phrase “or the equivalent” must be read cautiously because any agency step that is the “equivalent” of a narrow included term must also be narrow. S. Utah, 542 U.S. at 62, 124 S.Ct. at 2379.

If the claim attacks an agency’s action, instead of its failure to act, and the statute allegedly violated does not provide a private right of action, then the “agency action” must also be a “final agency action.” 5 U.S.C. § 704; see also S. Utah, 542 U.S. at 61-62, 124 S.Ct. at 2379; Norton, 324 F.3d at 1236 (“[F]ederal jurisdiction is similarly lacking when the administrative action in question is not ‘final’ within the meaning of 5 U.S.C. § 704.”). “To be considered ‘final,’ an agency’s action: (1) must mark the consummation of the agency’s decisionmaking process — it must not be of a merely tentative or interlocutory nature; and (2) must be one by which rights or obligations have been determined, or from which legal consequences will flow.” U.S. Steel Corp. v. Astrue, 495 F.3d 1272, 1280 (11th Cir. 2007) (quoting Bennett v. Spear, 520 U.S. 154, 177-78, 117 S.Ct. 1154, 1168, 137 L.Ed.2d 281 (1997)).

If the claim challenges a failure to act, see 5 U.S.C. § 551(13), it falls under 5 U.S.C. § 706(1), which allows courts to compel agency action “unlawfully withheld or unreasonably delayed.” In that case the claim may proceed only “where a plaintiff asserts that an agency failed to take a discrete agency action that it is required to take.” S. Utah, 542 U.S. at 64, 124 S.Ct. at 2380. “The important point is that a ‘failure to act’ is properly understood to be limited, as are the other items in § 551(13), to a discrete action.” Id. at 63, 124 S.Ct. at 2379.

On remand the district court should perform the required analysis for each of the eight remaining APA claims.

The judgment of the district court is AFFIRMED as to Count 9 of the second amended complaint and as to Counts 1 through 5 insofar as they seek monetary damages, but it is REVERSED and REMANDED as to Counts 1 through 8, insofar as they seek declaratory and injunctive relief under the APA, for further proceedings consistent with this opinion.

1 . This matters as to eight of the nine claims in the second amended complaint. Count 9 asserted that the VA failed to provide information security protections in violation of FIS-MA, 44 U.S.C. § 3541-48, but Perkins and Qualls have abandoned that claim by not pressing it before us. See Smith v. Allen, 502 F.3d 1255, 1263 n. 3 (11th Cir.2007) ("[Tissues not raised on appeal are considered abandoned.”); United States v. Mesa, 247 F.3d 1165, 1171 n. 6 (11th Cir.2001) (noting that an issue not raised during the defendant's initial appeal had been abandoned and was not part of the remand).